Privacy Notice

  1. Introduction
    1. The new General Data Protection Regulation (GDPR) comes into effect from 25 May 2018. The regulations are an EU wide initiative, but will be brought into UK Law, superseding the existing Data Protection Act 1998.
    2. Our Privacy Notice describes how we collect and use your personal data in accordance with Data Protection Legislation and Regulations.
  2. About Us
    1. Townsend Harrison Limited is a firm of Chartered Accountants and Business Advisors.
    2. We are registered in England and Wales as a limited company, with registered company number 04457437.
    3. Our Registered office address is 13 Yorkersgate, Malton, North Yorkshire, YO17 7AA.
    4. For the purpose of the Data Protection Legislation and this notice, we are the ‘data controller’. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the Data Protection Legislation to notify you of the information contained in this privacy notice.
    5. The Data Protection Point of Contact is responsible for assisting with enquiries in relation to the privacy notice or our treatment of your personal data.
  3. What is Personal Data?
    1. Personal data is data which, by itself, or with other data available to us, can be used to identify you.
  4. How do we collect your personal data?
    1. Most of the personal data that we hold is provided by you directly, either in our initial meetings, or subsequently when you contact us by telephone, email and post. We may also hold data that you supplied through an enquiry on our web page.
    2. We may obtain personal data indirectly from other third parties, including:
      1. publicly available resources, (e.g.Companies House or the Electoral Roll);
      2. third parties associated with the provision of our services to you (e.g. HM Revenue and Customs (HMRC));
      3. third parties, (e.g. credit control and other agencies) providing information to identify you in connection with our anti money laundering obligations.
      4. third parties, where the third party engages us to provide services, (e.g. if your employer asks us to provide accountancy services or payroll services. In the latter case we are acting as the data processor.
      5. your prior accountant, financial advisor, investment broker or other contact, with your consent.
    3. Where you access our services via the internet, or use cloud based services, e.g. Kashflow and the Exchange, we may capture personal data including your IP and MAC address.
  5. What type of information do we hold about you?
    1. The individual data items we hold about you may include the following;
      1. full name (including any prior names where applicable) and personal details, including contact information (e.g. home address and address history, email address, home and mobile telephone numbers);
      2. sex (male or female);
      3. date and place of birth and / or death if applicable;
      4. nationality;
      5. information about your family where relevant to the provision of services to you (e.g. details of your marital status, date of marriage / separation / divorce, the number and ages of your dependents);
      6. financial and taxation detail (e.g. salary and other income, your employer details, Unique Taxpayer Reference, Tax District and Accounts office reference, and NI number);
      7. where you use technology to access our products and services (e.g. if you use our web page contact form, cloud based accounting systems and cloud based client portal), your IP or MAC address;
      8. data used to identify you for the purposes of anti money laundering regulations (e.g. your photograph, passport number, drivers license number);
      9. a digital representation (scan) of your signature.
    2. We also hold the following information about you, which may include personal data;
      1. details of contact we have had with you in relation to the provision, or the proposed provision, of our services;
      2. details of any services you have received from us;
      3. our correspondence and communications with you;
      4. information about any complaints and enquiries you make to us;
      5. information from research, surveys, and marketing activities;
      6. information we receive from other sources, such as publicly available information, and information provided by your employer.
  6. How do we use your personal data, and what is the legal basis for that use?
    We process your personal data:

    1. As necessary to perform a contract with you (i.e. the provision of services outlined in our Letter of Engagement) or to perform a contract with a third party, where you may be an employee, subcontractor, supplier or customer of our client e.g.;
      1. to gather information prior to commencement of that contract, to determine the services you need;
      2. to decide whether to enter into that contract;
      3. to manage and perform the contract;
      4. to keep our records up to date; and
      5. to contact you about your account.
    2. As necessary for our own legitimate interests provided that those interests do not override any of your own interests, rights and freedoms which require the protection of personal data e.g.;
      1. for good governance, accounting and managing our own business operations; and
      2. for research, marketing, analysis and statistical purposes.
    3. As necessary to comply with a legal obligation, e.g.;
      1. when you exercise your rights under the data protection regulations and request access to your data;
      2. for compliance with legal and regulatory requirements and related disclosures;
      3. for activities relating to the prevention, detection and investigation of a crime; and
      4. to verify your identity and complete anti money laundering checks.

        Please note that we may process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required to do so.

    4. Based on your consent, e.g.;
      1. when you request us to disclose your personal data to other people or organisations, or where you agree to such disclosure (e.g. where you ask us to provide information to a financial advisor, bank or other lender);
      2. to send you marketing communications, where you have given us consent; and
      3. where we process any special categories of personal data about you at your request (for example, where we provide payroll services, we may need to process details about trade union membership in order to deduct and pay over levies.)

      Where we process personal information based on your consent, you have the right to withdraw consent for that specific use, at any time. The consequence might be that we cannot do certain things for you. We will advise you of any limitation to our service when you contact us to withdraw consent.

      Once we have received notification that you have withdrawn your consent, we will no longer process your personal information (personal data) for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

      If you wish to withdraw consent, please email us at

      Please note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.

      In some circumstances we may anonymise or pseudonymise personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.

      If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

  7. Do we use automated decision making and processing?
    1. Automated decision making involves processing your personal data without human intervention to evaluate our economic position, needs, preferences, interests or behaviours.
    2. We may use automated decision making to analyse statistics for our own legitimate interests, to protect our business and to develop and improve our products and services.
    3. We may also use automated decision making, e.g. to identify clients with specific characteristics or financial circumstances, where such identification is necessary to perform a contract with you or to take steps to enter into a contract with you.
  8. How long do we hold your personal data?
    1. We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected.
    2. When assessing what retention period is appropriate for your personal data, we take into consideration:
      1. the requirements of our business and the services provided;
      2. any statutory or legal obligations;
      3. the purposes for which we originally collected the personal data;
      4. the lawful grounds on which we based our processing;
      5. the types of personal data we have collected;
      6. the amount and categories of your personal data; and
      7. whether the purpose of the processing could reasonably be fulfilled by other means.
  9. What happens if we need to use personal data for a different purpose?
    1. Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.
    2. Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.
  10. Who do we share your personal data with and why?
    1. We will share your personal data with third parties where we are required by law, where it is necessary to administer the relationship between us or where we have another legitimate interest in doing so.
    2. In an emergency, we may share personal data to protect your interests.
    3. Examples of third parties with whom we may share your data are listed below:
      1. government bodies and agencies in the UK, e.g. HMRC and Companies House, in connection with the provision of services to you;
      2. government bodies e.g. SOCA, to fulfill our anti money laundering obligations;
      3. courts, the police service and other regulatory bodies / third parties, where required to do so by law;
      4. our professional supervisory body, the Institute of Chartered Accountants in England & Wales (ICAEW);
      5. subcontractors and other advisors or product providers e.g. specialist taxation consultants, fee protection providers, where necessary to provide services to you;
      6. subcontractors and other product providers who may process your data, for example to produce accounts, payroll or tax returns, under our supervision, in order to fulfill our contract with you.
      7. providers of cloud based accountancy software and cloud portal services e.g. Kashflow and the Exchange;
      8. other third parties, to protect the security or integrity of our business operations e.g. our professional indemnity insurance provider;
      9. where we restructure or sell our business or its assets, or are involved in a merger or re-organisation, we may share your personal data. In this event we will take appropriate measures to ensure that client personal data continues to be secure, in accordance with data protection legislation. If a change happens to our business, then the new owners may use our client personal data in the same way as set out in these terms.
      10. anyone else, where we have your consent e.g. your financial advisor, investment manager, a new accountant, bank or other lender;
  11. Is data always retained in the EU?
    1. Your data may be transferred outside the UK and European Economic Area for data storage and management purposes.
    2. We may also transfer your data outside of the UK and European Economic Area for processing, to perform a contract of services for you.
    3. While some countries have adequate protections for personal data under applicable laws, in other countries steps will be necessary to ensure appropriate safeguards are applied. These may include imposing additional contractual obligations.
  12. How secure is your data?
    1. We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
    2. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
  13. What are your rights / duties under the Data Protection Regulations?
    1. Your duty to inform us of changes.
      1. It is important that the personal data we hold about you is accurate and current.
      2. Should your personal information change, please notify us of any changes of which we need to be made aware by using the Change of Personal Information form available on our website at or telephoning the office on 01653 693259 to request a hard copy of this form to be sent to you. Please POST the completed form back to us.
    2. Your rights in connection with personal data.
      Under certain circumstances, by law you have:
      1. the right to be informed about our processing of your personal data. This privacy notice is required by this right.
      2. the right to have your personal data corrected if it is inaccurate and to have incomplete personal data completed;
      3. right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this basis. You also have the right to object where we are processing your personal information for direct marketing purposes;
      4. right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it;
      5. right to have your personal data erased (the right to be forgotten). This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing;
      6. right to request access to your personal data. This enables you to receive details of the personal data we hold about you and to check that we are processing it lawfully;
      7. right to move, copy or transfer your personal data to you or another data controller if the processing is based on consent, carried out by automated means and this is technically feasible (data portability) and;
      8. rights in relation to automated decision making.
    3. If you wish to exercise your right to request access to your personal data, as outlined in clause 13.2 (f) above, please download, print, complete and send to us by post, the Data Subject Access Request Form, by clicking in this link [Data Subject Access Report Form].
    4. To exercise any of the other rights listed above, please email our data protection point of contact using the email address
    5. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
    6. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
  14. Changes to this Notice
    1. Any changes we may make to our privacy notice in the future will be updated on our website at
    2. This privacy notice was last updated on 10 September 2018 (v1.2)
  15. Contact Us
    1. If you have any questions regarding this notice or if you would like to speak to us about the manner in which we process your personal data, please email our Data Protection Point of Contact via or telephone on 01653 693259.
  16. Your Right to Complain to the ICO
    1. You have the right to make a complaint to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at any time. The ICO’s contact details are as follows:
    2. Information Commissioner’s Office
      Wycliffe House
      Water Lane Wilmslow Cheshire SK9 5AF

      Telephone – 0303 123 1113 (local rate) or 01625 545 745

      Website –